Businesses are increasingly dependent on information technology. Information systems are becoming increasingly more complex, higher-powered, inter-connected, and openly accessible to partners and customers over vastly distributed networks. The business environment has increasingly shifted from face-to-face interactions to largely anonymous electronic transactions. Software development itself is becoming more distributed through offshore development arrangements and intra-company collaborative computing. These trends strain the ability of organizations to secure and protect digital data from misuse or unauthorized access.
Nearly every major business critical application deployed today contains vulnerabilities that can be exploited to cause considerable harm to the business or the assets it manages. These vulnerabilities can be leveraged to steal important information, sabotage computer systems or influence processing for the profit or malicious intent of the attacker.
For an experienced hacker or rouge insider, manipulating software to this end is made especially easy due to the variety of information and tools available on-line. An attacker's biggest challenge is simply finding the vulnerabilities in the context of a large business application. Compounding the problem, mainstream computer security solutions, such as firewalls, are based on the premise that exposed and vulnerable software can be protected by isolating it from the dangers of the outside world. Business requirements dictate that few business critical applications can be truly isolated. Most have numerous access points via data transfer interfaces, remote procedure calls, and internal and remote users. Firewalls and other network-oriented security solutions are not configured to block the type of access that business critical applications require. In fact, today's business functions rely on this access so much that they would fail to operate if denied. For example, the stock market would fail to execute trades without the links from brokers to the exchanges, supply chains would break without information flowing between suppliers and producers, and telecommunications would cease without the ability to connect cell phones to the computers that control the network or the billing systems that underlie the business. Attackers make use of these facts to compromise systems every day. The true flaw in the outside-in premise, however, is that vulnerable software can be protected at all—somehow made un-vulnerable.
Given this background, a question naturally presents itself: Why are network-based computer security solutions applied to what is clearly a software problem? One answer is that most information security practitioners have network security backgrounds and are spread thin resolving operational security issues, leaving little time to interact with the core software development process. At the same time, application developers are rewarded for producing new features against tight deadlines, with little room for security considerations. Rarely does any one person own responsibility for the security elements of the application itself. Conventional practice has been that development gets the business critical application shipped, and network operation teams will secure it. The dichotomy of these roles creates an extraordinary advantage for the attacker—they are the only ones truly experienced and focused on software security or more precisely business critical application insecurity.
Experts in and around software development have increasingly acknowledged that something must be done about software security. Nevertheless, coherent and practical solutions have not been identified. There are a number of factors that make solutions difficult to identify. For example, software security vulnerabilities are subtle, logical errors that can span thousands of lines of code, making accurate detection with reasonable performance extremely difficult. At first glance, the technology challenges make such a solution appear more akin to compilers or niche development tools. The large software development tools vendors, however, have not made security a core part of their offerings. Their customer base is still largely focused on how to improve creation of features and functionality—and the vendors' internal teams cannot easily recognize a changing paradigm while they work to improve the feature sets of their single-purpose products. This is a classic innovators dilemma. In addition, the high volume development tool providers are not adept at delivering enterprise-like solutions that a risk management system requires or sustaining the price points needed to support such a solution. Indeed, the current state of development tool pricing has generally discouraged the security community from building developer-oriented solutions.
Apart from the downsides inherent in the development tool landscape, software security requires specialized expertise in a constantly changing field. The problem is not just about finding technology to scan code, but includes creating and continually updating rules to detect these vulnerabilities. Delivering the rules requires expert knowledge of a constantly growing body of research and real-world architectures, frameworks, use patterns and many other factors that cause vulnerabilities in business critical applications. For example, every release of an operating system or library application program interfaces (APIs) introduces new ways to make mistakes that lead to security vulnerabilities. Vendors must deliver solutions that account for these cross-boundary, multi-platform architectures.
Finally, it is unlikely that software security can be accomplished by a single point solution. Similarly, it is unlikely that software security can be addressed solely at the developer level. Software security is largely a risk management problem. Addressing such a problem requires detailed information collected over time. It requires an approach that keeps software developers as productive as before, yet makes security metrics visible to management during development, testing and deployment. It requires an enterprise software-like solution for managers and organizations.
In view of the foregoing, it would be highly desirable to provide an improved technique for software security.